HIPAA Fines May Be Accompanied by Corrective Action Plans for Health Care Providers
In serious breach cases, the HHS Office for Civil Rights may impose CAPs to prevent breaches from recurring.
The Office for Civil Rights (OCR) in the US Department of Health and Human Services has progressively increased fines for health care providers who experience HIPAA breaches (like Advocate Health Care's 2016 record-setting $5.5 million).
These 7-figure fines have garnered a lot of attention, but there is another deterrent that can be just as painful, if not more so: the corrective action plan (CAP).
“Most people are struck by the monetary fine, but if you are subject to a CAP, you quickly realize that it can be a similarly severe penalty,” said Dianne Bourque, of the Boston law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC. Where fines are levied as punishment for breaches, a CAP is intended to correct underlying compliance problems and prevent breaches from recurring. Regulated entities must comply under OCR's strict supervision. According to Bourque, a CAP leaves providers with little control over the timeline or the process for implementing compliance fixes.
"Entities subject to a CAP will spend years under close OCR supervision after settling a breach," Bourque said. “It becomes a very aggressive, closely monitored process. Everything the entity does is subject to OCR's timing and oversight.”
For instance, when the entity has to draft policies and procedures, OCR may allow 30 to 60 days to do so. OCR will review them, and if they don't like the drafts, they will require revisions until the drafts are deemed acceptable. Every step of the CAP will have some kind of deadline.
Another challenge is the introduction of a third-party monitor. CAPs can require the regulated entity to find, retain, and pay a third party to independently monitor compliance efforts in conjunction with OCR's oversight.The monitor will perform site inspections – sometimes unannounced – and can talk with employees, inspect computers, and review compliance materials.
A CAP can also make it more difficult to work with other providers or business partners. For example, a CAP may make it difficult to change a business process without requesting modification of CAP requirements from OCR.
Entities under a CAP can also be required to do additional reporting that which is normally required under HIPAA. The following are examples:
- An entity may have to develop or revise HIPAA compliance policies and procedures, usually within 60 days, and send them to OCR for approval. After OCR provides feedback, the entity may have 30 days to revise the documentation. Then, within 30 days of final approval by OCR, those plans will have to be implemented. The entity may then have another month to provide a comprehensive report to OCR documenting implementation, including completion of an enterprise-wide risk assessment or training dates, for example.
- If encryption is an issue, an entity may have to provide encryption information multiple times over a CAP period. The entity may be required to provide a list of the encrypted devices, written evidence that they were encrypted, and justification for anything not encrypted.
- An entity may be given a limited time frame within which to provide HIPAA security training to all employees, documenting the materials used, topics, and dates of training for OCR.
- CAP-related documentation needs to be retained and available should OCR request it for a number of years beyond a CAP.
In the end, if an entity does not comply with a CAP, OCR can find the entity in breach of its original resolution agreement and impose additional fines.